Example of SAP roles or user accounts with invalid authorizations
The policies on valid SAP authorizations have been changed. Now the new policies must be checked to see if existing authorizations comply. SAP roles and user accounts with invalid combinations of authorizations must be identified so that they can be modified to meet the new requirements.
An SAP function is created for each invalid authorization combination.
Table 2: Example of an authorization definition
|
F-A |
D1 |
S_TCODE |
TCD |
TR1,TR2 |
|
D2 |
AO2 |
NAME |
* |
|
D3 |
AO3 |
ACTVT |
04 |
| D3 |
AO3 |
NAME |
H_XYZ |
|
D4 |
AO3 |
ACTVT |
04 |
|
D4 |
AO3 |
NAME |
R* |
|
Condition: |
D1 AND D2 AND (D3 OR D4) |
|
F-B |
D1 |
S_TCODE |
TCD |
TR3 |
|
D2 |
S_TCODE |
TCD |
TR4,TR5 |
|
D3 |
AO4 |
ACTVT |
02 |
|
D3 |
AO4 |
NAME |
G |
|
D4 |
AO4 |
ACTVT |
02 |
|
D4 |
AO4 |
NAME |
* |
|
Condition: |
(D1 AND D3) OR (D2 AND D4) |
The following SAP roles are available:
Table 3: Defined SAP roles
|
R1 |
AO1 |
ACTVT |
* |
|
AO1 |
NAME |
* |
|
AO2 |
NAME |
GEF* |
|
AO3 |
ACTVT |
* |
|
AO3 |
NAME |
H_XYZ |
|
S_TCODE |
TCD |
TR1 |
|
R2 |
AO2 |
NAME |
* |
|
AO3 |
ACTVT |
01, 02, 04 |
|
AO3 |
NAME |
R_ST |
|
S_TCODE |
TCD |
TR4 |
|
R3 |
AO3 |
ACTVT |
04 |
|
AO3 |
NAME |
H_XYZ |
|
AO4 |
ACTVT |
02, 03 |
|
AO4 |
NAME |
* |
|
S_TCODE |
TCD |
TR6 |
|
R4 |
AO4 |
ACTVT |
02 |
|
AO4 |
NAME |
* |
|
S_TCODE |
TCD |
TR3 |
The composite role R5 is assigned the single roles R2 and R3.
Table 4: Defined composite role
|
R5 has the following authorizations via the single roles R2 and R2 |
AO2 |
NAME |
* |
|
AO3 |
ACTVT |
01, 02, 04 |
|
AO3 |
NAME |
R_ST |
|
S_TCODE |
TCD |
TR4 |
|
AO3 |
ACTVT |
04 |
|
AO3 |
NAME |
H_XYZ |
|
AO4 |
ACTVT |
02, 03 |
|
AO4 |
NAME |
* |
|
S_TCODE |
TCD |
TR6 |
The following user accounts are available:
-
User account AC1 with composite role R5
-
User account AC2 with SAP roles R2 and R3
AC2 then has the same authorizations as AC1.
-
User account AC3 with the SAP role R2
-
User account AC4 with the SAP role R3
The authorization check determines all SAP roles and user accounts that are assigned the authorization objects and values listed in the authorization definitions. These roles and user accounts match the SAP functions. The authorization check produces the following results if the TargetSystem | SAPR3 | SAPRights | TestWithoutTCD configuration parameter is set.
Table 5: Authorization check results
|
R1 |
match
The role fulfills the condition D1 AND D2 AND D3. |
no match |
|
R2 |
no match |
no match |
|
R3 |
no match |
no match |
|
R4 |
no match |
match
The role fulfills the condition D1 AND D3. |
|
R5 |
no match |
match
The role fulfills the condition D2 AND D4. |
|
AC1 |
no match |
match
The user account fulfills the condition D2 AND D4. |
|
AC2 |
no match |
match
The user account fulfills the condition D2 AND D4. |
|
AC3 |
no match |
no match |
|
AC4 |
no match |
no match |
The SAP roles R1 and R4 and the composite role R5 as well as the user accounts AC1 and AC2 so not comply with the new policies and must be adjusted.
The authorization check ignores the authorization object S_TCODE if the TargetSystem | SAPR3 | SAPRights | TestWithoutTCD is set. The following conditions therefore apply to the test:
-
F-A: D2 AND (D3 OR D4)
-
F-B: D3 OR D4
Table 6: Results of the authorization check if TestWithoutTCD is set
|
R1 |
match
The role fulfills the condition D2 AND D3. |
no match |
|
R2 |
match
The role fulfills the condition D2 AND D4.
|
no match |
|
R3 |
no match |
match
The role fulfills the condition D3 OR D4. |
|
R4 |
no match |
match
The role fulfills the condition D3 OR D4. |
|
R5 |
match
The role fulfills the condition D2 AND D3 as well as D2 AND D4. |
match
The role fulfills the condition D3 OR D4. |
|
AC1 |
match
The user account fulfills the condition D2 AND D3 as well as D2 AND D4. |
match
The user account fulfills the condition D3 OR D4. |
|
AC2 |
match
The user account fulfills the condition D2 AND D3 as well as D2 AND D4. |
match
The user account fulfills the condition D3 OR D4. |
|
AC3 |
match
The user account fulfills the condition D2 AND D4. |
no match |
|
AC4 |
no match |
match
The user account fulfills the condition D3 OR D4. |
If the TestWithoutTCD configuration parameter is set for the authorization check, then all SAP roles and user accounts match at least one SAP function and therefore do not comply with the new policies.
Example using different technical profiles
The decisive factor for the authorization check is whether a profile with multiple technical profiles belongs to one SAP role. The authorization check determines whether all the function elements and their values defined for an authorization object occur in a technical profile. If the authorization object has different values in different technical profiles, the SAP function does not find the role. The following example shows the difference.
Table 7: Defined SAP roles with technical profiles
|
R6 |
AO1 |
ACTVT |
02, 03 |
TP1 |
|
AO1 |
NAME |
* |
|
S_TCODE |
TCD |
TR1, TR2 |
|
R7 |
AO1 |
ACTVT |
02 |
TP2 |
|
AO1 |
NAME |
* |
|
S_TCODE |
TCD |
TR2 |
|
AO1 |
ACTVT |
03 |
TP3 |
|
AO1 |
NAME |
Z* |
|
S_TCODE |
TCD |
TR1 |
Table 8: Authorization definition
|
F-TP1 |
D1 |
S_TCODE |
TCD |
TR1 |
|
D1 |
S_TCODE |
TCD |
TR2 |
| D2 |
AO1 |
NAME |
* |
|
D3 |
AO1 |
ACTVT |
02 |
|
D3 |
AO1 |
ACTVT |
03 |
|
Condition: |
(D1 AND D2) OR (D2 AND D3) |
Results of the authorization check if the TestWithoutTCD configuration parameter is not set:
-
The SAP role R6 matches the SAP function because the technical profile TP1 fulfills the condition.
-
The SAP role R7 does not match the SAP function because S_TCODE with the value TR1 and S_TCODE with the value TR2 belong to different technical profiles. BO1 with the value 02 and BO1 with the value 03 also belong to different technical profiles.
-
The role R7 is also found by making the following adjustment to the SAP function:
Table 9: Authorization definition
|
F-TP2 |
D1 |
S_TCODE |
TCD |
TR1 |
|
D2 |
S_TCODE |
TCD |
TR2 |
| D3 |
AO1 |
NAME |
* |
|
D4 |
AO1 |
ACTVT |
02 |
|
D5 |
AO1 |
ACTVT |
03 |
|
Condition: |
(D1 AND D2 AND D3) OR (D3 AND D4 AND D5) |
Example of identities with invalid SAP authorizations
The aim is to check which identities have invalid authorizations.
-
Create a compliance rule that checks whether there are identities with SAP user accounts that match the SAP functions.
-
Create different SAP functions for authorizations that in combination are invalid. Create compliance rules that combine these SAP functions. The compliance check finds all identities that have such invalid authorization combinations over the sum of all authorizations of their SAP user accounts.
The following SAP roles are available:
Table 10: Defined SAP roles
|
R8 |
AO3 |
ACTVT |
01, 02, 04 |
TP1 |
|
AO3 |
NAME |
R_ST |
|
S_TCODE |
TCD |
TR4 |
TP2 |
|
R9 |
AO3 |
ACTVT |
04 |
TP1 |
|
AO3 |
NAME |
H_XYZ |
|
AO4 |
ACTVT |
02, 03 |
TP2 |
|
AO4 |
NAME |
* |
|
S_TCODE |
TCD |
TR6 |
TP3 |
|
R10 as a composite role with the single roles R8 and R9 |
AO3 |
ACTVT |
01, 02, 04 |
TP1-R8 |
|
AO3 |
NAME |
R_ST |
|
AO3 |
ACTVT |
04 |
TP1-R9 |
|
AO3 |
NAME |
H_XYZ |
|
AO4 |
ACTVT |
02, 03 |
TP2-R9 |
|
AO4 |
NAME |
* |
|
S_TCODE |
TCD |
TR4 |
TP2-R8 |
|
S_TCODE |
TCD |
TR6 |
TP3-R9 |
The following user accounts and identities are available:
-
User A with user account AC5 with the composite role R10
-
User B with user account AC6 with the SAP roles R8 and R9
-
User C with user account AC7 with the SAP role R8 and user account AC8 with the SAP role R9
An identity must not own the authorizations of R8 and R9 at the same time. A compliance rule CR-X finds all identities that match the SAP function F-C.
CR-X: The identity owns at least the SAP function F-C.
Table 11: Authorization definition for the SAP function F-C
|
F-C |
D1 |
S_TCODE |
TCD |
TR4 |
|
D2 |
S_TCODE |
TCD |
TR6 |
|
D3 |
AO3 |
ACTVT |
01,02,04 |
|
D3 |
AO3 |
NAME |
* |
|
D4 |
AO4 |
ACTVT |
02,03 |
|
D4 |
AO4 |
NAME |
* |
|
Condition: |
D1 AND D2 AND D3 AND D4 |
Results of the authorization check if the argetSystem | SAPR3 | SAPRights | TestWithoutTCD is not set.
Table 12: Authorization check results
|
R8 |
no match |
|
R9 |
no match |
|
R10 |
match |
|
AC5 |
match |
|
AC6 |
match |
|
AC7 |
no match |
|
AC8 |
no match |
Compliance check results:
-
User A violates the rule because the user account AC5 matches the SAP function F-C.
-
User B violates the rule because the user account AC6 matches the SAP function F-C.
-
User C does not violate the rule because the user accounts AC7 and AC8 do not match the SAP function F-C.
Viewed individually, user accounts AC7 and AC8 have valid authorizations. Only by linking these user accounts to an identity does the combination of these authorizations become invalid.
Compliance rules can detect invalid authorization combinations on identities. For them to do this, the SAP functions must be so structured that the user accounts AC7 and AC8 match. In the compliance rule, these SAP functions are combined so that identities with both user accounts violate the rule.
Table 13: Other SAP functions
|
F-D |
D1 |
S_TCODE |
TCD |
TR4 |
|
D2 |
AO3 |
ACTVT |
01,02,04 |
|
D2 |
AO3 |
NAME |
* |
|
Condition: |
D1 AND D2 |
|
F-E |
D1 |
S_TCODE |
TCD |
TR6 |
|
D2 |
AO3 |
ACTVT |
04 |
|
D2 |
AO3 |
NAME |
* |
|
D3 |
AO4 |
ACTVT |
02,03 |
|
D3 |
AO4 |
NAME |
* |
|
Condition: |
D1 AND D2 AND D3 |
Table 14: Authorization check results
|
R8 |
match |
no match |
|
R9 |
no match |
match |
|
R10 |
match |
match |
|
AC5 |
match |
match |
|
AC6 |
match |
match |
|
AC7 |
match |
no match |
|
AC8 |
no match |
match |
A compliance rule finds all identities that match both these SAP functions.
CR-Y: The identity owns at least the SAP function F-D AND the identity owns at least the at least the SAP function F-E.
Compliance check results:
-
User A violates the rule because the user account AC5 matches both the SAP functions.
-
User B violates the rule because the user account AC6 matches both the SAP functions.
-
User C violates the rule because the user account AC7 matches the SAP function F-D and the user account AC8 matches the SAP function F-E.
This means that the compliance rule CR-Y can be used to determine all identities that are assigned the SAP roles R8 and R9 through their user accounts.
Recommendations for setting up SAP functions
Requirements and policies within your company determine how SAP functions are set up, authorization definitions are created, and compliance rules are used. First consider what you want to achieve with the authorization check.
-
Determine every SAP role and profile with invalid combinations of authorizations.
-
To do this, create SAP functions that determine invalid authorization combinations. The authorization check identifies all SAP roles and user accounts where the sum total of their authorizations have this invalid combination of authorizations.
-
To find all identities that have access to such user accounts, create compliance rules for these SAP functions.
-
Find all identities that own invalid combinations of authorizations through their various SAP user accounts.
-
The single SAP roles and user accounts have valid authorizations. Only an identity having access to multiple user accounts causes invalid authorization combinations.
-
Create different SAP functions for authorizations that are valid on their own. It is the combination that makes these authorizations invalid, so only the combination of these SAP functions leads to a policy violations.
-
Create compliance rules that combine these SAP functions. Combine all SAP functions that together reveal invalid authorization combinations. The compliance check finds all identities that join such invalid authorization combinations across all their SAP user accounts.
TIP: If you create SAP functions for both use cases, you can use function categories to group the function definitions. This makes it easier to select SAP functions in the rule editor and displays function definitions in the Manager better.
Setting up SAP functions
Create function definitions, function instances, and variable sets for SAP functions. You can use an SAP function for different instances. To do this, use variables in the function definition. Fixed variable values are grouped in variable sets and used in the function instances.
A function definition contains the authorization definition as well as general main data. An authorization definition contains at least one authorization object. Each authorization object consists of at least one function element (activity or authorization field) with fixed values. These are given as single values or as upper and lower limits. Function elements can be listed more than once per authorization object.
If an authorization definition includes several authorization objects, use logical operators to determine how these authorization objects are linked. The function definition is used to save all the authorization object links as a condition. A function argument is generated for each authorization object to clearly identify the authorization objects in the condition. These function arguments are used to formulate the condition.
The following rules apply to function arguments:
-
Each function argument is permitted for use in an authorization definition for just one authorization object.
-
Each authorization object is assigned to exactly one function argument with its function elements and values.
-
An authorization object can be used multiple times with different values within an authorization definition. An new function argument is created for each instance.
-
Within a function definition, the names of the function arguments must be unique.
-
The name pattern for function arguments is defined in the TargetSystem | SAPR3 | SAPRights | AbilityNamePattern configuration parameter. If necessary, adjust the value of the configuration parameter to suit your requirements.
The following rules apply to conditions:
-
Permitted operators are AND, OR, and priority brackets ().
-
Permitted commentary characters are /* */ for multi-line comments and -- for single line comments.
Use variables for the values in the authorization definition. This means you can use a function definition for different function instances. The variables are provided in variable sets.
Function instances specify the client that uses the function definition and the specific values that apply to the test. To do this, assign values to the variables in a function instance and define the client.
To set up an SAP function
-
Create a function definition.
-
Create the authorization definition.
-
Consider the explanations for determining invalid authorizations.
-
Take the notes on authorization definitions into account.
-
(Optional) Use variables for the values or range limits.
-
(Optional) Provide a new name for the function arguments complying with the naming convention given in the TargetSystem | SAPR3 | SAPRights | AbilityNamePattern configuration parameter.
-
Check the condition in which the function arguments are logically linked.
-
(Optional) Assign mitigating controls to the function definition to be implemented when invalid authorizations are detected by the SAP function.
-
To be able to use the function definition for authorization checking, enable the working copy of this function definition.
-
Create at least one function instance for this function definition.
To find all the identities that match this SAP function through their SAP user accounts, apply the SAP function in compliance rules.
Detailed information about this topic
